
What Is IP Risk Scoring? How It Works and Why It Matters

Binary VPN detection tells you if a connection is anonymized. IP risk scoring tells you how worried you should be. Learn how scoring works and how to implement it effectively.

February 10, 2026 | 10 min read | By VPN Signal Team

What Is IP Risk Scoring?

IP risk scoring is the process of assigning a numeric score to an IP address based on how likely it is to be associated with fraudulent or malicious activity. Instead of a simple "VPN: yes/no" answer, a risk score gives you a number (typically between 0 and 100) that represents the overall threat level of the connection.

A score of 0 means the IP is a clean residential connection with no detected anonymization or abuse history. A score of 100 means the IP is a known Tor exit node or a proxy associated with active fraud campaigns. Everything in between represents varying degrees of risk.

This matters because the world is not black and white. A corporate VPN user is different from a Tor user. A datacenter IP running a legitimate monitoring service is different from one running a credential stuffing bot. Risk scoring captures these nuances and lets you respond proportionally.

Why Binary Detection Falls Short

Traditional VPN detection returns a simple flag: the IP is a VPN, or it is not. This creates an impossible choice: block all VPN users and lose legitimate traffic, or allow all VPN users and let fraud through.

Consider these real scenarios that binary detection cannot handle well:

The corporate VPN user

A legitimate customer connects through their company's VPN to make a purchase. Binary detection flags them as "VPN: true," the same result as a fraudster using a throwaway VPN to test stolen credit cards. Should you treat them the same?

The datacenter IP

An automated health check pings your API from an AWS EC2 instance. Binary detection flags it as "datacenter: true." But it is not a VPN, not a proxy, and not trying to be deceptive. A blanket block would break legitimate integrations.

The privacy relay user

An iPhone user with iCloud Private Relay enabled browses your site. Their IP is masked, but Apple preserves their approximate location. This is a low-risk privacy feature, not a fraud tool, but binary detection cannot tell the difference.

The cost of getting this wrong is real. False positives (blocking legitimate users) cost $15-25 per support ticket to resolve and erode user trust. For e-commerce, every false positive is a lost sale. Risk scoring solves this by letting you apply the right amount of friction to each risk level.

How Risk Scoring Works

A risk scoring system evaluates multiple signals about an IP address and combines them into a single score. The process works in three steps:

  1. Signal Detection

    The system checks the IP against multiple intelligence sources: VPN provider databases, Tor exit node lists, datacenter IP ranges, proxy detection systems, residential proxy intelligence, and abuse history feeds.

  2. Signal Weighting

    Each detected signal adds points to the risk score based on how strongly it correlates with abuse. Tor exit nodes add more points than hosting IPs because they carry higher fraud risk.

  3. Recommendation

    The final score maps to an actionable recommendation: allow the request, require verification, or block it. This removes the guesswork from your fraud prevention logic.

The Scoring Model: Signals and Weights

Different anonymization types carry different risk levels. A well-designed scoring model reflects these differences by assigning higher weights to signals that are more strongly associated with abuse.

Here is the scoring model used by VPN Signal's risk scoring system:

| Signal | Points | Why This Weight |
|---|---|---|
| Tor Exit Node | +80 | Maximum anonymity, public network, disproportionately associated with abuse. Tor traffic is a small fraction of total internet traffic but a large fraction of fraud attempts. |
| VPN | +60 | Commercial VPN services are used by both privacy-conscious users and bad actors. The 60-point weight puts VPN traffic in the "verify" zone, adding friction without outright blocking. |
| Proxy | +50 | HTTP and SOCKS proxies are commonly used for scraping, bot traffic, and evading IP blocks. Slightly lower risk than VPNs because they are easier to detect and less sophisticated. |
| Relay | +40 | Privacy relays like iCloud Private Relay are operated by trusted companies, preserve approximate location, and are rarely used for fraud. Lower weight reflects lower risk. |
| Hosting / Datacenter | +30 | Datacenter IPs suggest non-human traffic (bots, scrapers, automated tools). However, many legitimate services run from datacenters, so the weight is lower. |

Signals are additive. An IP that is both a known VPN provider and hosted in a datacenter would score 60 + 30 = 90, placing it firmly in the "block" zone. An IP that is only a hosting provider scores 30, which falls in the "allow" range. This additive model naturally handles edge cases.

Why not use machine learning for scoring?

ML-based scoring can outperform rule-based scoring in accuracy, but it is harder to explain, debug, and tune. An additive model is transparent: when a user is flagged, you can see exactly which signals contributed and by how much. This makes it easier to justify decisions, handle appeals, and comply with regulations. Many production systems start with additive scoring and layer ML on top for specific use cases.

Setting Thresholds and Actions

A score is only useful when it maps to an action. The three-tier model provides a clear framework:

0-39: Allow

Clean IP with no detected anonymization or abuse signals. Process the request normally with no additional friction. This covers the vast majority of your legitimate traffic.

40-69: Verify

Suspicious signals detected but not conclusively fraudulent. Add a verification step: CAPTCHA, email confirmation, or a brief cooldown. Legitimate users pass verification easily; bots and low-effort fraud are stopped.

70-100: Block

High-confidence malicious connection. Block the action or require strong verification (phone number, government ID). Tor exit nodes and known fraud proxies typically fall in this range.

These thresholds are starting points. The right thresholds for your application depend on the cost of fraud versus the cost of false positives in your specific context.

Implementing Risk Scoring in Your App

With an API that provides risk scores, implementation is straightforward. Here is a pattern that works for most applications:

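// Middleware that adds risk-based friction to sensitive actions
async function riskBasedProtection(req, res, next) {
  // Use req.ip (which honors Express's 'trust proxy' setting) rather than parsing
  // X-Forwarded-For directly: its left-most entry is supplied by the client.
  const ip = req.ip || req.socket.remoteAddress;

  let result;
  try {
    const response = await fetch('https://api.vpnsignal.io/v1/check', {
      method: 'POST',
      headers: {
        'Authorization': `Bearer ${process.env.VPNSIGNAL_API_KEY}`,
        'Content-Type': 'application/json'
      },
      body: JSON.stringify({ ip })
    });
    if (!response.ok) {
      throw new Error(`Risk API returned HTTP ${response.status}`);
    }
    result = await response.json();
  } catch (err) {
    // Lookup failed: hand off to the error handler so that failing open or
    // closed is an explicit decision rather than an unhandled rejection
    return next(err);
  }

  const { risk_score, recommendation, is_vpn, is_tor } = result;

  // Attach risk data for downstream use
  req.risk = { score: risk_score, recommendation, is_vpn, is_tor };

  switch (recommendation) {
    case 'block':
      return res.status(403).json({
        error: 'This action requires identity verification',
        verification_required: 'phone'
      });
    case 'verify':
      // Downstream handlers must check this flag and enforce the challenge
      req.requiresVerification = true;
      return next();
    default:
      return next();
  }
}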

Caching for Performance

IP risk scores do not change by the second. Caching API responses significantly reduces latency and costs:

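const cache = new Map();
const CACHE_TTL = 60 * 60 * 1000; // 1 hour
const CACHE_MAX_ENTRIES = 10000; // bound memory: keys are client IP addresses

// checkIp(ip) is assumed to wrap the API request shown in the middleware above
async function getRiskScore(ip) {
  const cached = cache.get(ip);
  if (cached && Date.now() - cached.timestamp < CACHE_TTL) {
    return cached.data;
  }

  const result = await checkIp(ip);
  cache.delete(ip); // re-insert so Map order tracks insertion time
  if (cache.size >= CACHE_MAX_ENTRIES) {
    cache.delete(cache.keys().next().value); // evict the oldest entry
  }
  cache.set(ip, { data: result, timestamp: Date.now() });
  return result;
}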

For production systems, use Redis or Memcached instead of an in-memory Map. VPN Signal's backend includes a built-in caching layer with a 1-hour TTL that handles this automatically.

Tuning Your Thresholds

Default thresholds (0-39 allow, 40-69 verify, 70-100 block) work for most applications, but you may want to adjust them based on your specific context. Here are guidelines for common scenarios:

| Scenario | Allow | Verify | Block | Reasoning |
|---|---|---|---|---|
| High-value payments | 0-29 | 30-59 | 60+ | Lower thresholds because chargebacks are expensive ($20-100 per dispute) |
| Content site | 0-49 | 50-79 | 80+ | Higher thresholds because false positives (blocking readers) hurt engagement |
| Account signup | 0-39 | 40-69 | 70+ | Default thresholds, balanced between fraud prevention and conversion |
| Regulated industry | 0-19 | 20-49 | 50+ | Strictest thresholds for compliance-sensitive use cases (gambling, finance) |
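
The additive model from "The Scoring Model", the three tiers from "Setting Thresholds and Actions", and the per-scenario thresholds in the table above can be put together in one small function. This is an added example, not VPN Signal's own code: the signal keys, the profile names, and the cap at 100 are assumptions made for illustration.

```javascript
// Weights and threshold profiles copied from the tables in this guide.
const WEIGHTS = { tor: 80, vpn: 60, proxy: 50, relay: 40, hosting: 30 };
const PROFILES = {
  default:   { verify: 40, block: 70 }, // also the "account signup" row
  payments:  { verify: 30, block: 60 },
  content:   { verify: 50, block: 80 },
  regulated: { verify: 20, block: 50 },
};
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// signals: array of detected signal names, e.g. ['vpn', 'hosting'].
// Assumption: the additive sum is capped at 100 to stay on the 0-100 scale.
function scoreIp(signals, profile = 'default') {
  if (!has(PROFILES, profile)) throw new Error(`unknown profile: ${profile}`);
  const thresholds = PROFILES[profile];

  const contributions = [];
  for (const signal of new Set(signals)) { // count each signal once
    if (!has(WEIGHTS, signal)) throw new Error(`unknown signal: ${signal}`);
    contributions.push({ signal, points: WEIGHTS[signal] });
  }
  const raw = contributions.reduce((sum, c) => sum + c.points, 0);
  const score = Math.min(raw, 100);

  let recommendation = 'allow';
  if (score >= thresholds.block) recommendation = 'block';
  else if (score >= thresholds.verify) recommendation = 'verify';

  // contributions is the audit trail: which signals fired and for how much
  return { score, recommendation, contributions };
}

// Replays the same detections under every profile to show how tuning shifts the outcome.
function compareProfiles(signals) {
  const out = {};
  for (const profile of Object.keys(PROFILES)) {
    out[profile] = scoreIp(signals, profile).recommendation;
  }
  return out;
}

console.log(scoreIp(['vpn', 'hosting']));
console.log(compareProfiles(['hosting']));
console.log(compareProfiles(['relay']));
```

A hosting-only IP is allowed under the default thresholds but lands in the verify tier for payments and regulated profiles, which is the trade-off the table describes.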

How to Measure and Adjust

Tuning thresholds is an iterative process. Track these metrics over time:

  • False positive rate: What percentage of verified users (those who pass CAPTCHA or phone verification) had their risk score above the "verify" threshold? If it is over 10%, your threshold may be too low.
  • Fraud rate in allowed traffic: What percentage of traffic below your "allow" threshold turns out to be fraudulent? If it is rising, your threshold may be too high.
  • Verification pass-through rate: What percentage of "verify" tier users complete verification? High pass-through suggests most are legitimate; low pass-through suggests effective fraud blocking.
  • Support ticket volume: Are users complaining about being blocked or asked to verify? Track this alongside your risk thresholds to find the optimal balance.
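
The first three metrics can be computed by replaying a labeled decision log against candidate thresholds. This is an added example, not part of VPN Signal's product: the log is constructed, the field names are hypothetical, and the false positive rate is taken over sessions later confirmed legitimate, which assumes you have such labels (for example from chargebacks or manual review).

```javascript
// Constructed decision log: [risk score, later confirmed as fraud, challenge outcome].
// Challenge outcome: true = passed, false = failed or abandoned, null = not challenged.
const LOG = [
  ...Array(4).fill([0, false, null]),
  ...Array(2).fill([30, false, null]),
  ...Array(2).fill([30, true, null]),
  [40, false, true],
  [60, false, true],
  ...Array(2).fill([60, true, false]),
  ...Array(2).fill([80, true, null]),
].map(([score, fraud, passed]) => ({ score, fraud, passed }));

// Returns null instead of NaN when there is nothing to measure.
const ratio = (part, whole) => (whole.length === 0 ? null : part.length / whole.length);

// Replays the log against a candidate "verify" threshold.
function measure(log, verifyAt) {
  const legit = log.filter((r) => !r.fraud);
  const allowed = log.filter((r) => r.score < verifyAt);
  return {
    // legitimate sessions that would have been challenged or blocked
    falsePositiveRate: ratio(legit.filter((r) => r.score >= verifyAt), legit),
    // fraud that would have passed with no friction
    fraudRateInAllowed: ratio(allowed.filter((r) => r.fraud), allowed),
  };
}

// Pass-through can only be measured on challenges that were actually issued.
function passThroughRate(log) {
  const challenged = log.filter((r) => r.passed !== null);
  return ratio(challenged.filter((r) => r.passed), challenged);
}

// One row per candidate threshold, so the two error rates can be compared side by side.
function sweep(log, candidates) {
  return candidates.map((verifyAt) => ({ verifyAt, ...measure(log, verifyAt) }));
}

console.table(sweep(LOG, [20, 30, 40, 50]));
console.log('pass-through:', passThroughRate(LOG));
```

On this constructed log, lowering the verify threshold from 40 to 30 removes the fraud in allowed traffic but doubles the false positive rate.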

Risk Scoring vs. Alternatives

IP risk scoring is one approach to fraud prevention. Here is how it compares to alternatives:

| Approach | Strengths | Limitations | Best For |
|---|---|---|---|
| IP Risk Scoring | Fast, server-side, no client JS needed, nuanced decisions | Only sees IP-level signals, cannot identify specific users | API protection, signup flows, payment checks |
| Binary VPN Detection | Simple, easy to understand | No nuance, high false positives | Geo-fencing, basic access control |
| Device Fingerprinting | Identifies specific devices, persists across IP changes | Requires client-side JS, privacy concerns, fingerprintable | Multi-accounting detection, returning user identification |
| Behavioral Analysis | Catches sophisticated fraud that other methods miss | Requires significant data, complex to implement, latency | High-security environments, transaction fraud |

The most effective fraud prevention systems combine multiple approaches. IP risk scoring is often the first layer because it is fast, server-side, and requires no client-side code. It catches the majority of obvious threats, letting you reserve more expensive analysis (device fingerprinting, behavioral analytics) for the traffic that passes initial screening.

To learn more about how VPN detection methods work under the hood, read our complete guide to VPN detection. For API integration details, see the API reference documentation.

Frequently Asked Questions

What is a good IP risk score threshold?

There is no universal answer. The right threshold depends on your application and risk tolerance. A common starting point is: 0-39 allow, 40-69 add verification (CAPTCHA or email), 70-100 block or require strong verification (phone/ID). E-commerce applications often set lower thresholds than content sites because the cost of fraud is higher.

How is IP risk scoring different from a fraud score?

IP risk scoring evaluates the risk of the IP address itself: is it a VPN, proxy, Tor, datacenter, etc. A fraud score (like those from payment processors) considers broader signals including transaction amount, user history, device fingerprint, and behavioral patterns. IP risk scoring is one input to a broader fraud score.

Can IP risk scores change for the same IP address?

Yes. IP addresses are reassigned, VPN providers add and remove servers, and residential IPs can be temporarily recruited into proxy networks. Most providers update their databases daily or more frequently. Caching API responses for 1 hour strikes a good balance between freshness and performance.

Does IP risk scoring work for IPv6 addresses?

Yes, though coverage varies by provider. As IPv6 adoption grows, risk scoring databases are expanding their IPv6 coverage. The same principles apply: VPN providers, hosting companies, and proxy networks operate on IPv6 as well as IPv4.
